Mariposa: How Exposed Are We?

The Application and Threat Research Team has done a great job of providing insight into what the Mariposa threat is, as well as how to quickly analyze your network to see if Mariposa is present via the Wireshark plugin. Given the applications that Mariposa uses to spread itself, exactly how exposed are we? To gain some perspective on the levels of exposure, I took a look at our traffic analysis database and found that more than 85% of the organizations have at least one of the Mariposa spreaders.

Some history is necessary here. Part of our customer engagement process is to place a Palo Alto Networks firewall in a customer network for evaluation purposes. At the conclusion of the evaluation, we extract log data and provide a traffic assessment report (http://www.paloaltonetworks.com/request-AVR.html). We currently have log data on 363 different organizations.

Mariposa spreads itself across nine different P2P networks: Ares, Bearshare, Direct Connect, eMule, iMesh, Kazaa, Gnutella, BitTorrent (via LimeWire client), and Shareaza. Essentially, for each P2P network, there is a Mariposa folder share feeding the bot executable. In addition to P2P applications, MSN Instant Messaging is also used as a spreader.

Figure: Most commonly found applications that are capable of spreading Mariposa (out of 363 organizations).

Some more detailed analysis of the 363 organizations for which we have data exposed some sobering statistics:

312 (86%) of the organizations had at least one of the P2P applications used by Mariposa.

An average of three of the nine P2P applications were found in each organization.

Total bandwidth consumed by the P2P applications that spread Mariposa was 17.3 terabytes or an average of 55 gigabytes per organization.

Session consumption by P2P spreaders was 555 million or 1.8 million sessions per organization average.

MSN was found in 322 of the organizations (89%). Average resource consumption per organization was 2.8 gigabytes of bandwidth and 67,400 sessions.
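The exposure figures above are derived by aggregating per-organization application logs: count organizations in which at least one spreader application appears, average the number of distinct spreaders per exposed organization, and total the bytes and sessions those applications consumed. The following is an added example of that aggregation, not Palo Alto Networks code and not the assessment data set; the comma-separated log format (organization, application, bytes, sessions) and the sample records are constructed for illustration, and the per-organization averages are taken over the organizations in which the spreader was found.

```python
"""Compute Mariposa-spreader exposure metrics from per-organization app logs.

Added example; the log format and records below are constructed stand-ins for
an application-level traffic summary, not the real assessment data.
"""
from collections import defaultdict

# Applications named in the post as Mariposa spreaders (normalized lowercase).
P2P_SPREADERS = {
    "ares", "bearshare", "direct-connect", "emule", "imesh",
    "kazaa", "gnutella", "bittorrent", "shareaza",
}
IM_SPREADERS = {"msn"}

# Constructed sample log: org_id,app,bytes,sessions (one row per org/app pair).
SAMPLE_LOG = """\
org1,bittorrent,5000000000,120000
org1,msn,300000000,8000
org1,web-browsing,90000000000,4000000
org2,web-browsing,40000000000,2000000
org2,msn,100000000,3000
org3,emule,2000000000,50000
org3,gnutella,1000000000,20000
org3,ares,1000000000,10000
org4,web-browsing,1000000000,50000
malformed line that should be skipped
"""


def parse_log(text):
    """Yield (org, app, bytes, sessions) tuples; skip blank or malformed rows."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        org, app, nbytes, sessions = parts
        try:
            yield org, app.strip().lower(), int(nbytes), int(sessions)
        except ValueError:
            continue


def exposure_report(records, total_orgs=None):
    """Aggregate spreader usage into the metrics used in the post.

    total_orgs lets the caller supply the assessed-organization count when some
    organizations have no rows at all (they would otherwise be invisible here).
    """
    orgs = set()
    p2p_apps = defaultdict(set)      # org -> distinct P2P spreaders observed
    p2p_bytes = defaultdict(int)
    p2p_sessions = defaultdict(int)
    im_bytes = defaultdict(int)      # only orgs where MSN was seen get a key
    im_sessions = defaultdict(int)

    for org, app, nbytes, sessions in records:
        orgs.add(org)
        if app in P2P_SPREADERS:
            p2p_apps[org].add(app)
            p2p_bytes[org] += nbytes
            p2p_sessions[org] += sessions
        elif app in IM_SPREADERS:
            im_bytes[org] += nbytes
            im_sessions[org] += sessions

    n = total_orgs if total_orgs is not None else len(orgs)
    n_p2p, n_im = len(p2p_apps), len(im_bytes)
    gb = 1e9

    def avg(total, count):
        return round(total / count, 2) if count else 0.0

    return {
        "orgs": n,
        "p2p_orgs": n_p2p,
        "p2p_pct": round(100.0 * n_p2p / n, 1) if n else 0.0,
        "avg_p2p_apps_per_exposed_org": avg(
            sum(len(a) for a in p2p_apps.values()), n_p2p),
        "p2p_total_gb": round(sum(p2p_bytes.values()) / gb, 2),
        "p2p_avg_gb_per_exposed_org": avg(sum(p2p_bytes.values()) / gb, n_p2p),
        "p2p_total_sessions": sum(p2p_sessions.values()),
        "p2p_avg_sessions_per_exposed_org": avg(sum(p2p_sessions.values()), n_p2p),
        "msn_orgs": n_im,
        "msn_pct": round(100.0 * n_im / n, 1) if n else 0.0,
        "msn_avg_gb_per_exposed_org": avg(sum(im_bytes.values()) / gb, n_im),
        "msn_avg_sessions_per_exposed_org": avg(sum(im_sessions.values()), n_im),
        # Per-org detail for follow-up: which spreaders each exposed org runs.
        "exposed": {org: sorted(apps) for org, apps in p2p_apps.items()},
    }


if __name__ == "__main__":
    for key, value in exposure_report(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The "exposed" map is the part a defender acts on: it names each organization (or, run against a single organization's logs with host in place of org, each host) that carries a spreader, so blocking or investigation can start with the specific applications observed rather than the aggregate percentage.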

With MSN appearing in 89% of the organizations and an average of three P2P applications appearing in more than 85% of them, I would speculate that many organizations are exposed. The bandwidth being transferred and the sessions being consumed indicate fairly heavy usage, which increases the exposure dramatically.